Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 25 replies
  • Answers 1 answer
  • Subscribers 45 subscribers
  • Views 21932 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Android + OpenVPN 3.4.0 + SSL VPN = No Traffic

The G-Man

Hello,

Began experiencing an issue with our SSL VPN connections when some Android tablets updated OpenVPN Connect app from 3.3.4 to 3.4.0.

Symptom:
SSL VPN connections are made successfully in 3.4.0 but no traffic flows. OpenVPN 3.4.0 is configured to use the 'Legacy' setting. I tried the others to no avail. OpenVPN log will show this error repeating every minute or so:

"TUN write exception: write_some: Invalid argument"

Workaround:
After removing various deprecated options (according to OpenVPN log) and lots of trial and error with no success I eventually stumbled on a workaround. Despite "Compress SSL VPN traffic" being disabled in SSL VPN global settings the Sophos Firewall still seems to be doing something regarding compression. Only when I manually change the 'comp-lzo' parameter to 'yes' in the ovpn file does the connection start passing traffic again. This message is then displayed in the OpenVPN log:

"EVENT: COMPRESSION_ENABLED info='Asymmetric compression enabled. Server may send compressed data. This may be a potential security issue.' trans=TO_DISCONNECTED

Clearly this is not a good workaround with lots of devices/users. Is Sophos aware of this issue and will it be fixed?

Working OpenVPN 3.4.0 Config:

client
dev tun
proto udp
nobind
(keys removed)
auth-user-pass
cipher AES-128-CBC
auth SHA256
comp-lzo yes
verb 3
reneg-sec 86400
remote x.x.x.x 8443 udp




This thread was automatically locked due to age.
Parents
  • 0

    Hello  ,

    Thank you for reaching out to the community, this is known - NC-124753, it is fixed in v19.5 MR-4 (Already available now) and v20.0.1 MR-1.
    VPN Enhancements: Sophos Firewall is now compatible with OpenVPN 3.0 clients. Users can download the compatible configuration file from the user portal.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Hello Vivek,

    I am using v19.5 MR-4. I think you are confusing this with the 'route-delay 4' issue, which is different to this. That command is already removed in my config, did not resolve my issue.

  • 0 in reply to Vivek Jagad

    Hi Vivek,

    Yes I did. I temporarily enabled "Compress SSL VPN traffic" that updates ovpn config 'comp-lzo yes' which allows the connection to work again. However I don't think this option is recommended (VPN compression vulnerabilities) and we also have Windows clients that I don't want to be affected when we download configs.

  • 0 in reply to The G-Man

    Hello there,

    I could reproduce your issue temporarily after upgrading Open VPN to 3.4.0 and having compression enabled.

    However, after disable Compression in the Sophos Firewall and disconnecting the OpenVPN connection from the mobile phone (after the automatic disconnect), I was able to Ping again.

    I would recommend you to open a case if you are still facing the issue and especially if you are able to replicate it. 

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Emmo,

    Can you please step this solution out step by step?

    I have clients out in the field already with profiles downloaded, does the steps you have tried involve re-downloading profiles?

    I have tried compression on and off again with no change to behaviour. My existing profiles have "comp-lzo no".

    XGS2100.

    Thanks,

  • 0 in reply to Hugh D

    Hello Hugh,

    Originally, I was running an old version of OpenVPN, downloaded the configuration with Compress SSL VPN Traffic enabled in the Sophos Firewall, connected, and it worked.
    Upgraded OpenVPN to 3.4.0, connected but I wasn’t able to Ping
    In the Firewall, I disable Compress SSL VPN Traffic, and this automatically disconnected the SSL VPN user
    After the client connected automatically again, I manually disconnected OpenVPN from the mobile phone
    Connected again, and Ping started working

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hi Emmanuel,

    What you describe still requires re-downloading profiles which is not ideal if you have lots in the field. 

    Is there not a fundamental issue here - if compression is already disabled on both the firewall and the client, why is the firewall pushing asymmetric compression? Disabled should mean disabled, and this problem should in theory not occur in the first place?

    I have opened a support case: 07203703

  • 0 in reply to The G-Man

    Hello Greg,

    As I mentioned, that worked for me, and I didn't re-download the configuration. 

    Also, ask the end users to check that in OpenvPN under Settings > Advanced Settings > Lecagy is selected.

    Thank you for the Case ID.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Hi Emmanuel,

    I just want to point out to others that may be reading that it worked for you because you downloaded your profile when Compress SSL VPN Traffic was enabled. This function sets comp-lzo to yes in the profiles. If it is disabled comp-lzo is set to no in the profiles, which I imagine will be the case for a lot of users that had already downloaded profiles months/years previously and had no issue until this point. For those users - they will have to re-download the profiles (or manually edit existing ones) for this workaround to function.

    Further information on OpenVPN and deprecated compression here: https://community.openvpn.net/openvpn/wiki/Compression 

    Sreenivasulu Naidu's post below advises a future solution will be looked at which will hopefully take this into account.

  • 0 in reply to The G-Man

    Sophos Firewall is still clearly pushing compression on connection, even though it is marked as disabled. 

    We need a fix ASAP to stop the firewall pushing compression.

  • 0 in reply to Hugh D

    Hello Hugh,

    In the meantime, you can follow the workaround shared by Naidu's "Compression should be turned ON and keep the 'Legacy' mode on OpenVPN Connect."

    Hello Greg,

    Thank you for pointing out the part where I downloaded the configuration previously once Compression was selected.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Unfortunately this is not an option for me as all my exported profiles currently have 'comp-lzo yes' and I cant get my mobile clients to re-download profiles due to geographical restrictions

Reply Children
No Data
Unfiltered HTML